engine/features/api/authorization/memberships.feature

226 lines
7.5 KiB
Gherkin
Raw Normal View History

2012-04-30 19:29:32 +00:00
Feature: Memberships
In order to ensure memberships are not tampered with
As an admin, designer or author
I will be restricted based on my role
Background:
Given I have the site: "test site" set up with id: "4f832c2cb0d86d3f42fffffb"
And I have accounts:
| email | id |
| new-user@a.com | 4f832c2cb0d86d3f42fffffc |
And I have memberships:
| email | role | id |
| admin@a.com | admin | 4f832c2cb0d86d3f42fffffd |
| designer@a.com | designer | 4f832c2cb0d86d3f42fffffe |
| author@a.com | author | 4f832c2cb0d86d3f42ffffff |
Scenario: As an unauthenticated user
Given I am not authenticated
When I do an API GET to memberships.json
Then the JSON response at "error" should be "You need to sign in or sign up before continuing."
# listing memberships
Scenario: Accessing memberships as an Admin
Given I have an "admin" API token
When I do an API GET request to memberships.json
Then the JSON response should be an array
And the JSON response should have 4 entries
Scenario: Accessing memberships as a Designer
Given I have a "designer" API token
When I do an API GET request to memberships.json
Then the JSON response should be an array
And the JSON response should have 4 entries
Scenario: Accessing memberships as an Author
Given I have an "author" API token
When I do an API GET request to memberships.json
Then an access denied error should occur
# showing membership
Scenario: Accessing membership as an Admin
Given I have an "admin" API token
When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffd.json
Then the JSON response at "email" should be "admin@a.com"
When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffe.json
Then the JSON response at "email" should be "designer@a.com"
When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
Then the JSON response at "email" should be "author@a.com"
Scenario: Accessing membership as a Designer
Given I have a "designer" API token
When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffd.json
Then the JSON response at "email" should be "admin@a.com"
When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffe.json
Then the JSON response at "email" should be "designer@a.com"
When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
Then the JSON response at "email" should be "author@a.com"
Scenario: Accessing membership as an Author
Given I have an "author" API token
When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffe.json
Then an access denied error should occur
# create membership
Scenario: Creating new membership as an Admin
Given I have an "admin" API token
When I do an API POST to memberships.json with:
"""
{
"membership": {
"site_id": "4f832c2cb0d86d3f42fffffb",
"account_id": "4f832c2cb0d86d3f42fffffc"
}
}
"""
When I do an API GET request to memberships.json
Then the JSON response should be an array
And the JSON response should have 5 entries
Scenario: Creating new membership as a Designer
Given I have a "designer" API token
When I do an API POST to memberships.json with:
"""
{
"membership": {
"site_id": "4f832c2cb0d86d3f42fffffb",
"account_id": "4f832c2cb0d86d3f42fffffc"
}
}
"""
When I do an API GET request to memberships.json
Then the JSON response should be an array
And the JSON response should have 5 entries
Scenario: Creating new membership as an Author
Given I have an "author" API token
When I do an API POST to memberships.json with:
"""
{
"membership": {
"site_id": "4f832c2cb0d86d3f42fffffb",
"account_id": "4f832c2cb0d86d3f42fffffc"
}
}
"""
Then an access denied error should occur
Scenario: Created membership should always be Author
Given I have an "admin" API token
When I do an API POST to memberships.json with:
"""
{
"membership": {
"site_id": "4f832c2cb0d86d3f42fffffb",
"account_id": "4f832c2cb0d86d3f42fffffc",
"role": "admin"
}
}
"""
When I do an API GET request to memberships.json
Then the JSON response should be an array
And the JSON response should have 5 entries
And the JSON at "4/role" should be "author"
# update membership
Scenario: Updating membership as an Admin
Given I have an "admin" API token
When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
"""
{
"membership": {
"role": "admin"
}
}
"""
When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
Then the JSON response at "role" should be "admin"
Scenario: Updating membership as a Designer
Given I have a "designer" API token
When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
"""
{
"membership": {
"role": "admin"
}
}
"""
When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
Then the JSON response at "role" should be "author"
When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
"""
{
"membership": {
"role": "designer"
}
}
"""
When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
Then the JSON response at "role" should be "designer"
Scenario: Updating membership as an Author
Given I have a "author" API token
When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
"""
{
"membership": {
"role": "admin"
}
}
"""
Then an access denied error should occur
When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
"""
{
"membership": {
"role": "designer"
}
}
"""
Then an access denied error should occur
When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
"""
{
"membership": {
"role": "author"
}
}
"""
Then an access denied error should occur
# destroy membership
Scenario: Destroying membership as an Admin
Given I have an "admin" API token
When I do an API GET request to memberships.json
Then the JSON response should be an array
And the JSON response should have 4 entries
When I do an API DELETE to memberships/4f832c2cb0d86d3f42ffffff.json
When I do an API GET request to memberships.json
Then the JSON response should be an array
And the JSON response should have 3 entries
Scenario: Destroying membership as a Designer
Given I have a "designer" API token
When I do an API GET request to memberships.json
Then the JSON response should be an array
And the JSON response should have 4 entries
When I do an API DELETE to memberships/4f832c2cb0d86d3f42ffffff.json
When I do an API GET request to memberships.json
Then the JSON response should be an array
And the JSON response should have 3 entries
When I do an API DELETE to memberships/4f832c2cb0d86d3f42fffffe.json
Then an access denied error should occur
When I do an API DELETE to memberships/4f832c2cb0d86d3f42fffffd.json
Then an access denied error should occur
Scenario: Deleting membership as an Author
Given I have a "author" API token
When I do an API DELETE to memberships/4f832c2cb0d86d3f42fffffe.json
Then an access denied error should occur